---
description: Hasura Cloud Standard, Professional, and Hasura Enterprise API limits
keywords:
  - hasura
  - docs
  - cloud
  - enterprise
  - security
  - limits
sidebar_position: 5
sidebar_label: API limits
sidebar_class_name: cloud-and-enterprise-icon
title: 'Cloud & Enterprise Edition: API Limits'
---

import Thumbnail from '@site/src/components/Thumbnail';
import HeadingIcon from '@site/src/components/HeadingIcon';
import ProductBadge from '@site/src/components/ProductBadge';

# API Limits

<ProductBadge pro ee self />

## Introduction

Limiting the depth and/or rate of API requests can help prevent API performance issues caused by malicious or poorly
implemented queries.

## API limit types

API limits are defined by **role** (e.g. anonymous, user) and can restrict request rate, depth, or both. Unique request
parameters can include IP address or session variables (_x-hasura-user-id_, _x-hasura-org-id_, etc.)

### Rate limits

Restricts number of GraphQL operations per minute. This uses a sliding window approach. This means whenever Hasura Pro
receives a request, it will count the rate of that client starting from the current time to last one minute.

By default, the rate-limit happens on the `role_name` i.e the value provided in `X-HASURA-ROLE`. But you can also
combine additional unique parameters for more granularity.

The Unique Parameters that are provided are:

1.  IP Address
2.  Session Variables

You can choose any one of the above parameters to rate limit the requests.

**Note**: If you set a `Unique Parameter` then the combination of both the `role_name` and the `Unique Parameter` will
be used to rate-limit requests.

:::info Note

To enable rate limiting on Hasura Enterprise, you must set the
[`HASURA_GRAPHQL_RATE_LIMIT_REDIS_URL`](/deployment/graphql-engine-flags/reference.mdx#rate-limit-redis-url) environment
variable or the [`--rate-limit-redis-url`](/deployment/graphql-engine-flags/reference.mdx#rate-limit-redis-url) server
flag with the appropriate Redis connection string.

:::

Example:

If you rate-limit using the `role_name` and set the unique parameter for the rate-limit as `IP Address`, then rate-limit
will be applied depending on both those parameters. i.e If the requests come from a different role but same IP address
will **NOT** be rate limited

### Depth limits

Restricts a GraphQL operation based on its depth, preventing deeply nested queries.

:::info Note

GraphQL introspection queries are excluded from depth limits.

:::

You can see various queries as examples and their depths here:

```graphql
# depth = 1
query deep1_1 {
  viewer {
    name
  }
}

query deep1_2 {
  viewer {
    ... on User {
      name
    }
  }
}

# depth = 2
query deep2 {
  viewer {
    albums {
      title
    }
  }
}

# depth = 3
query deep3 {
  viewer {
    albums {
      ...musicInfo
      songs {
        ...musicInfo
      }
    }
  }
}

fragment musicInfo on Music {
  id
  title
  artists
}
```

### Node limits

Restricts a GraphQL operation based on the number of nodes. This helps in limiting the number of different pieces of
related data to be fetched.

A node is defined as a field with a selection set.

For example, in the below query the number of nodes is 3 and they are `author`, `articles` and `homepage_entries`.

```graphql
{
  author {
    name
    articles {
      id
      title
    }
  }
  homepage_entries {
    article_id
  }
}
```

### Time limits

Restricts the time that a GraphQL operation is allowed to take. The duration is specified in seconds.

Any upstream database queries are also cancelled for supported sources. Currently, cancellation only works for Postgres
sources.

:::info Time limits on Hasura Cloud projects

All Free tier and Professional tier Hasura Cloud projects get a time limit of 60 seconds. When the cloud limit is hit,
the error contains the code `tenant-time-limit-exceeded` in the error message. This limit can be increased for Enterprise
users by reaching out to support.

:::

### Batch Limits

Restricts the number of GraphQL operations in a
[batched request](/api-reference/graphql-api/index.mdx#batching-requests).

For example, the below request has 3 query operations which will not be allowed if the batch limit is set to 2.

```graphql
query query1 {
  artists {
    name
    albums {
      name
    }
  }
}

query query2 {
  playlist {
    name
    songs {
      name
    }
  }
}

query query3 {
  songs {
    name
    artists {
      name
    }
  }
}
```

## Manage API limits

API limits can have a _global_ or _per role_ configuration. If an incoming request does not contain a valid role then
the global limit is applied.

<Thumbnail src="/img/security/pro-tab-apilimits.png" alt="Hasura Cloud Console api limit tab" />
<Thumbnail src="/img/security/security-apilimits-details.png" alt="Hasura Cloud Console api limit tab details" />

:::info Admin & IntrospectionQuery exemptions

All API limits are **not** applied for the admin role, and depth limits are **NOT** applied to introspection queries.

:::

## Metadata specification

This [API Reference Documentation](/api-reference/metadata-api/api-limits.mdx) describes the metadata API structure to
manage API limits.
